364 matches found
CVE-2026-57698
Authentication Bypass Using an Alternate Path or Channel vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Authentication Abuse.This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through = 1.1.12...
CVE-2026-57698
CVE-2026-57698 affects the WordPress plugin Abandoned Cart Recovery for WooCommerce (woo-abandoned-cart-recovery), with versions up to and including 1.1.12. The issue is an Authentication Bypass/Authentication Abuse via an alternate path or channel, enabling unauthorized access as described in th...
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during...
CVE-2026-4767
Missing authentication for critical function vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117...
EUVD-2026-41371
Missing authentication for critical function vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117...
CVE-2026-4767
Missing authentication for critical function vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117...
CVE-2026-4767
Technical details (affected product/version, root cause, impact, or remediation) are not publicly provided in the supplied documents. Monitor for updates.
CVE-2026-50176 EVoke Systems EVoke CSMS Improper Restriction of Excessive Authentication Attempts
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access...
CVE-2026-1816
Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation TEİAŞ Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13...
CVE-2026-10216
A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched...
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...
CVE-2026-42220
Nginx UI (nginx-ui) prior to version 2.3.8 exposes a vulnerability where an authenticated user can call GET /api/settings to retrieve sensitive values, including node.secret. The node.secret is accepted by AuthRequired() via the X-Node-Secret header (or node_secret query parameter), allowing the ...
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise
In this article 1. Multi-step social engineering campaign leading to credential theft 2. Mitigation and protection guidance 3. Microsoft Defender detections 4. Hunting queries 5. Indicators of compromise Phishing campaigns continue to improve sophistication and refinement in blending social...
CVE-2026-41232
Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...
CVE-2026-3614
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wpajaxacymailingrouter AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2026-5465
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the UpdateProviderCommandHandler failing to validate changes to the externalId field when a Provider Employe...
CVE-2026-25406
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through = 3.9.4...
CVE-2026-32497
Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through = 2.0.45...
EUVD-2026-15843
Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through = 2.0.45...
EUVD-2026-15717
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through = 3.9.4...